Access Management Policy

Standards for Secure Access Management to Systems and Applications
This sample policy outlines comprehensive standards and procedures for managing access to a company’s systems and applications. It aims to ensure confidentiality, availability and integrity. Sample 1 defines user access roles and responsibilities, approval requirements, review requirements and removal requirements, emphasizing the role of authorized approvers and the necessity of quarterly reviews. Sample 2 focuses on the submission and review of user access privileges, requiring managers to submit lists of users and their access privileges twice a year, as well as detailing procedures for changing and revoking user access.
Sample 3 describes the process for adding users to company systems, including form completion by supervisors and UNIX password rules, while also stressing the principle of restricting privileges based on the need to know. Sample 4 establishes requirements for restricting access to information systems and computer rooms to authorized users, covering identification and authentication guidelines and privileged account management. Finally, Sample 5 provides guidelines for granting, modifying and disabling network user access, including semiannual re-certifications and roles for enforcing the policy. Overall, this policy ensures that access is granted appropriately, regularly reviewed, and promptly removed when no longer needed.
The following procedures must be adhered to when granting, reviewing and removing access:
- All access must be approved in writing by an authorized approver before access is granted to the system or information. This approval must be on a form that specifies the user's required privileges.
- User account administrators must retain access approval documentation.
- Access to each system, application or database must be reviewed at least quarterly.
- HR must immediately notify the IT help desk and the application superusers responsible for user access of all terminations and job transfers.